Avoid side channel leakage when decoding private data #53
Conversation
As well as the existing one, benchmark reading zen.pem and a typical client operation (reading /etc/ssl/certs/ca-certificates.crt). Use criterion for local workflow (tracking results over changes).
This is different to that provided by base64ct crate, as it can be used to correctly to implement RFC7468, specifically this clause: > parsers SHOULD ignore whitespace Since we have seen whitespace in the base64 section (and have a test case for that!) this implementation discards whitespace without exposing private inputs to `u8::is_ascii_whitespace` beforehand.
ctz
force-pushed
the
jbp-base64-side-channels
branch
from
0f3295e to
1ef45c2
Compare
|
If we're going to use our own base64 implementation, should we inline this directly into pki-types instead of using the separate crate? (We could use an off-by-default Cargo feature depending on the compile-time impact of this code.) |
|
Yeah I think that would be reasonable. We could also publish a final version of this crate which is just |
|
That depends on what the API in pki-types would look like, I guess? Was thinking we might more closely align the API to the new types, but I suppose we might want to close the side channel for current rustls-pemfile 2.x users? |
Maybe something like:
WDYT about also extending this commit-set to add a test that decodes the |
That means rustls-pki-types 1.x would forever be stuck with a sort-of general purpose base64 decoding API, which seems suboptimal? |
Fair point. In that case I think we probably need to decide between not fixing the side channel in the 2.x release stream or leaving |
|
How about:
|
|
I definitely think it's possible to have our cake and eat it, too. I was thinking something like this:
IMO getting a nice PEM API for pki-types will be most important for the long-term, so IMO that should be first on the list. I think we'll want to retain I was thinking something like this: trait FromPem {
fn from_pem(rd: &mut impl BufRead) -> Result<Self, Error>;
}Like in my rustls-native-certs PR, we could opt to implement a custom error type instead of yielding |
|
@djc I like this plan. Assuming Ctz does too is it something you want to execute yourself or would it be helpful to get the ball rolling? I think I'll have some capacity after finishing a rustls-ffi release. |
Would be helpful if someone else can get the ball rolling! |
|
I will have a go at proposing a starting point on the pki-types repo. |
Had this on the back burner for a while.
This introduces a base64 decoder into this crate, which is customised to:
(1) means we can remove the whitespace skipping we do beforehand. (2) is bought into play only when parsing sections that contain private keys.
This PR also improves benchmarking, to see what effect switching away from rust-base64 had -- it is approx 60% slower for certificate-only workloads.
Another option would be to retain the rust-base64 dependency, but restore the whitespace stripping just before calling into it.